Texas Says 22 Local Government Agencies Hit by Ransomware

Officials say the ransomware attack didn't compromise state government networks. (Photo of the Texas state capital in Austin by Garrett Seeger, via Flickr/CC.)

Ransomware attackers continue to focus on local government entities as well as smaller businesses. While it's not clear how many crypto-locking malware attack attempts succeed, the lure of a payday appears to be driving a steady stream of criminals to continue such campaigns.

Recent victims have included a number of local government entities in Texas, which have collectively received a $2.5 million ransom demand. The state initially warned that 23 organizations had fallen victim to the Friday morning attack (see Texas Pummeled by Coordinated Ransomware Attack).

On Tuesday, officials revised the victim count down slightly, to 22 affected entities. The Texas Department of Information Resources is leading the incident response effort, assisted by the U.S. Department of Homeland Security, the FBI's cyber division and others.

All 22 affected government agencies or organizations are working with DIR to assess the damage and restore systems.

"More than 25 percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual," DIR says, adding that the state government's systems and networks were not affected by the ransomware outbreak.

Ransom Demand: $2.5 Million

State officials have so far declined to comment on the type of ransomware used by attackers or whether any ransom note has been received, and have declined to name the victims.

"Evidence continues to point to a single threat actor. Investigations into the origin of this attack are ongoing," DIR says in a statement. "Because this is an ongoing federal investigation, we cannot provide additional details about the attack."

But on Wednesday, Gary Heinrich, the mayor of one of the affected municipalities - Keene, Texas, with a population of 6,100 - told NPR that attackers collectively demanded a ransom worth $2.5 million to restore all crypto-locked systems across the 22 municipalities. He said the city outsources its IT operations. "They got into our software provider, the guys who run our IT systems," Heinrich told NPR. "A lot of folks in Texas use providers to do that, because we don't have a staff big enough to have IT in house."

On Facebook, the city said it couldn't reveal many details due to the ongoing investigation. But it said that the city cannot handle credit card payments or utility disconnections, although it noted that all emergency services were working as normal and "our drinking water is safe."

Also hit by the attack was the city of Borger, which has a population of about 13,000. In a statement released Monday, officials said that "vital statistics (birth and death certificates) remains offline, and the city is unable to take utility or other payments." It also noted: "Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off."

Steps to Recovery

To help affected entities recover, DIR notes that it has used the state government's purchasing power to negotiate competitive discounts with IT product and service providers, including for "seat management services," referring to externally managed PCs or workstations.

Estimated Ransomware Costs - Texas 2019

Source: Texas Department of Information Resources and Texas A&M University System

"The management services contracts can help you rebuild your networks or systems to ensure your systems are up to date and able to function in today's technology environment," DIR says. "In addition, to assist public entities in their recovery efforts, DIR has negotiated the addition of network components to the Dell Bulk Purchase Initiative, including servers, other networking hardware, and network virtualization products."

Two Iranians indicted by the U.S. Justice Department last year were charged with earning more than $6 million from victims of their SamSam ransomware. Some 200 victims, including cities and hospitals, paid off the attackers, while others - including Atlanta - did not.

Long Tail of Attacks

Security experts say attackers have long demonstrated that they're not averse to targeting small businesses and smaller government agencies and entities, especially after having already tried their hand at bigger targets.

"Local government systems have become the 'reunion' tours of most forms of malware: First the attackers go after the larger more lucrative targets, who then start to address the vulnerabilities," says John Pescatore, director of research for the SANS Institute, in a recent SANS newsletter. "Then we usually see waves of the same attacks succeeding at smaller firms and then state and local agencies."

Pescatore says smaller firms and government agencies' continued susceptibility to the latest types of online attacks highlights that they have "staffing, funding and governance obstacles that are not being overcome," and also that leaders are failing "to take advantage of advanced knowledge that those high-profile attacks of last year are going to hit them this year."

Call to Action

A coalition of government agencies is calling on state, local, territorial and tribal government organizations to get their act together, noting that prevention remains "the most effective defense against ransomware."

The recommended steps include backing up all essential systems immediately and then on an ongoing, daily basis; regularly refreshing employee training on how to recognize the top ransomware infection vectors, including phishing attacks and suspicious links; and giving employees out-of-band ways to contact IT staff.

In addition, they called on all government agencies to regularly review and update their cyber incident response plans. "Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed," they say. "Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA and the MS-ISAC, in the event of an attack."

Further Defenses

In the wake of the attacks against Texas government agencies, the state's DIR has also issued these six recommendations to help all organizations better defend themselves against ransomware:

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
